Share this article on:
Aultman Health Foundation, which runs Aultman Hospital in Canton, OH, is notifying approximately 42,600 patients that some of their protected health information may have been compromised as a result of a phishing attack.
Unauthorized and unknown individuals succeeded in gaining access to several email accounts used by employees of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician offices.
The unauthorized access was first detected on March 28, 2018 prompting a full investigation to determine the scope of the breach and whether any sensitive information was potentially accessed. Third-party information security experts were engaged to assist with the investigation and determined access to the email accounts occurred on several occasions starting in mid-February and continued until the breach was detected and remediated in late March.
The breach was limited to email accounts. The system that stores electronic medical records was not compromised. Email accounts used by Aultman hospital and certain physician practices contained names, addresses, clinical information, medical record numbers, and physicians’ names.
Individuals tested by AultWorks Occupational Medicine had a greater range of information exposed including name, address, date of birth, medical history, reports on physical examinations, the results of drug, hearing, and breathing tests, and other lab test results. Certain AultWorks Occupational Medicine patients also had their driver’s license number and/or Social Security number exposed. Social Security numbers were only exposed in cases where employers use Social Security numbers to identify employees/potential employees.
When the phishing attack was discovered Aultman Health Foundation performed a password reset to prevent any further unauthorized accessing of email accounts and ensured only strong, complex passwords could be set. Security monitoring has been improved to detect any future breaches more quickly and further security controls have been applied to email accounts to block future attacks. Employees have also been provided with further training to improve resilience to phishing attacks.
Aultman Health Foundation explained in a security breach FAQ that it was not possible to determine whether emails and email attachments containing PHI were opened and read by the individual(s) behind the attack; however, no reports have been received to date to suggest any information in the accounts has been misused.
All patients impacted by the incident have been advised to check their credit reports and Explanation of Benefits statements carefully for any sign of fraudulent use of their information and individuals whose driver’s license number or Social Security number were exposed have been offered complimentary credit monitoring services.